Watch your back: The mounting risks of unauthorized data access, theft and corruption in secondary storage. (SAN).
Tape media is considered the most reliable and most prevalent source for enterprise data recovery. These backup tapes are small, portable and typically stored outside the confines of the data center for offsite disaster recovery purposes. Most data stored on tapes is left in the clear on removable media--with tape loss or qualified access being discovered long after the fact. Unauthorized users have more time to readily read tape data, analyze confidential information and, in some cases, rebuild entire systems. Tapes used for bulk data transport can be misdelivered, lost or accessed with little owner awareness.
With replication, system snapshots are duplicated and often stored at various stages outside the primary site. Replication and tape virtualization capabilities offer better automation for system and data recovery purposes. It is this automation that can also increase liabilities should access be breached and images copied.
Lastly, storage administrators and service providers who manage and support backup processes/resources have greater knowledge about, and more immediate access to, this stored data. While enterprises have implemented access controls and tighter infrastructure management provisions, such safeguards fall short of protecting access to the tape media and data repositories. Additional safeguards should be reviewed to further enhance data integrity and confidentiality--namely, stored data authentication and encryption.
Security Building Blocks
What terms are used to describe strong security besides physical access controls? Strong encryption converts clear data (plaintext) into an unreadable form called "ciphertext" using a secret key or password, such that the data cannot practically be recovered without the corresponding decryption key. Authentication is the process of validating a transmission, message or originator by assuring the identity of a given user or system--typically by means of passwords or digital certificates (issued by a trusted authority). Authorization determines what an authenticated entity is permitted to do or access. Integrity is a process that establishes that data has not been modified. A key is a value that, when applied to a cryptographic algorithm, can be used for strong data encryption, authentication and integrity. Key management determines how keys are created, protected, distributed, recovered, updated and terminated. Strong encryption, authentication, authorization, data integrity and centralized key management are the means to best mitigate the access exposures in tape media, virtualized tape systems and replicated images critical for authorized data/system recovery.
Given the distributed nature of secondary storage, considerations must be made regarding data management (e.g. compression), key management and data recovery. An ideal solution would support transparent deployment, enforce a security policy, enable central and remote management and be simple to implement--if not abstracted from day-to-day administration. It would also need to address the unique persistent storage requirements involved in ensuring archival and recovery processes. For recovery purposes, encrypted tapes may need to contain metadata that securely references the encryption system (and the key) used to protect the tape. This can be implemented at the host, in the storage subsystem or in a tape media security appliance.
Security is more likely to be adopted when it is transparent and non-obtrusive. Secondary storage data protection should accommodate different device form factors, media types, volumes, media pools, interfaces, host types, media rates and so on. It should not impede the performance (read/write data rates) of the tape device--especially true for virtualized tape (disks that look like tape libraries). Operators should be able to continue to perform their tasks normally with functionality that can be deployed/enforced online, offline and nearline.
Keys will need to be mapped to media catalog data (which is vendor specific) to avoid affecting long-term archival recovery. These keys will have a longer life--thus they will require protection against brute force attack (e.g. 56-bit DES will not suffice) and reasonable rekeying techniques (replacing the original key used in data protection with a new key). These characteristics ensure that storage administrators can add security to their functions without compromising data recovery or normal operating policies, processes and procedures.
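The three requirements above (metadata on the tape that names the protecting key, a catalog that maps key IDs to key material kept inside the security system, and rekeying without exposing plaintext) can be seen together in a small worked example. The Go program below is added here for illustration; it is not code from the article or from NeoScale's products. The block format (a hypothetical "NTB1" tag, a 4-byte key ID, a 12-byte nonce, then AES-256-GCM ciphertext and tag), the in-memory key store and all function names are assumptions. The header is passed to GCM as associated data, so a restore can read the key ID in the clear while any edit to the header or the data fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Constructed block layout (hypothetical, not any vendor's format):
//   magic(4) | keyID(4, big-endian) | nonce(12) | AES-256-GCM ciphertext || 16-byte tag
const magic = "NTB1"
const hdrLen = 8

// keyStore stands in for the appliance's protected key catalog: the media
// catalog records only key IDs, and key bytes never leave the store.
type keyStore struct {
	keys map[uint32][]byte
	next uint32
}

func newKeyStore() *keyStore { return &keyStore{keys: make(map[uint32][]byte), next: 1} }

// Add generates a fresh 256-bit key and returns its catalog ID.
func (s *keyStore) Add() (uint32, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	id := s.next
	s.next++
	s.keys[id] = k
	return id, nil
}

// Retire terminates a key; blocks still referencing it become unrecoverable.
func (s *keyStore) Retire(id uint32) { delete(s.keys, id) }

func (s *keyStore) aead(id uint32) (cipher.AEAD, error) {
	k, ok := s.keys[id]
	if !ok {
		return nil, fmt.Errorf("key ID %d not present in key store", id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts one block under keyID and prepends the self-describing header.
func Protect(s *keyStore, keyID uint32, plain []byte) ([]byte, error) {
	g, err := s.aead(keyID)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], keyID)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), nonce...)
	return g.Seal(out, nonce, plain, hdr), nil // header is authenticated as AAD
}

// KeyIDOf reads the key reference from a protected block's header.
func KeyIDOf(blob []byte) (uint32, error) {
	if len(blob) < hdrLen || string(blob[:4]) != magic {
		return 0, fmt.Errorf("not a protected block")
	}
	return binary.BigEndian.Uint32(blob[4:hdrLen]), nil
}

// Restore looks up the key named in the header and authenticates before returning plaintext.
func Restore(s *keyStore, blob []byte) ([]byte, error) {
	keyID, err := KeyIDOf(blob)
	if err != nil {
		return nil, err
	}
	g, err := s.aead(keyID)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < hdrLen+ns {
		return nil, fmt.Errorf("block truncated")
	}
	hdr, nonce, ct := blob[:hdrLen], blob[hdrLen:hdrLen+ns], blob[hdrLen+ns:]
	plain, err := g.Open(nil, nonce, ct, hdr)
	if err != nil {
		return nil, fmt.Errorf("restore under key ID %d failed authentication: %w", keyID, err)
	}
	return plain, nil
}

// Rekey re-protects a block under newID; plaintext exists only transiently here.
func Rekey(s *keyStore, blob []byte, newID uint32) ([]byte, error) {
	plain, err := Restore(s, blob)
	if err != nil {
		return nil, err
	}
	return Protect(s, newID, plain)
}

func main() {
	s := newKeyStore()
	id, _ := s.Add()
	blob, _ := Protect(s, id, []byte("constructed backup record: customer=acme,balance=1200"))
	tampered := append([]byte{}, blob...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt one byte of the tag
	_, err := Restore(s, tampered)
	fmt.Println("key ID on media:", id, "| tampered block rejected:", err != nil)
}
```

Because the key ID travels with the media but the key itself stays in the store, a lost or misdelivered tape reveals only which catalog entry would be needed; retiring that entry makes every block that references it unrecoverable, which is the property the article relies on for low-cost tape disposal.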
Alternative Implementation Options
Implementing data encryption using backup software at the host or backup server can produce performance bottlenecks--impacting application response and performance. Encryption keys would need to be protected and managed on the backup entities--a difficulty that grows with the number of hosts and their location(s). This may require the installation and management of new software, hardware or drives on the application server or at the client. It may also mandate changes to your backup applications--at both the local and remote recovery locations.
Implementing data protection at the tape library may provide considerable benefit. Library vendors are already providing media management and compression capabilities. However, this may increase the library/system cost and form factor. Here too, key management must be taken into account. This can become more complex for companies that employ different, remote or third-party-managed library systems--in which the library systems may vary at each location.
Encrypting files prior to backup is another approach that has strengths and weaknesses. If the file structure/workgroup dynamics are relatively static and simple, then the management overhead associated with file encryption may be acceptable. With such an approach strong discretionary access controls can be enforced in regards to files. However, this approach can be complex in a majority of enterprise-class environments that have a large number of files, changing file attributes, users and associated crypto keys.
This can make recovery difficult, as these files are backed up and restored at remote locations and on different media which may not have the same access requirements or infrastructure. Avoiding this issue would require replicating the primary environment--which is not often economically feasible.
A file-encryption approach may not address other applications, such as email and large databases, which may write directly to disk in raw partitions. Additionally, there are some cases in which one will lose the ability to back up primary data unless the data encryption is application specific. For example, if an application needs to recover a specific database table, one will need to have the primary environment completely mirrored on the secondary site if one encrypts the entire database file.
An Appliance Approach
By placing storage security functionality in a separately managed solution, companies can employ a more cost-effective implementation. An appliance offers the benefits of performance, centralized management, protected/managed keys, flexible deployment and seamless integration. A built-for-purpose encryption device offloads the processing burden associated with media encryption with nominal latency. It can support compression of the stored data prior to encryption--a benefit that would otherwise be lost if data were encrypted before it was compressed to tape, since well-encrypted data does not compress.
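The ordering point (compress, then encrypt) is easy to measure. The Go program below is an added example, not code from the article or from any appliance vendor: it builds a constructed, backup-like record stream, then reports the bytes that would reach tape when gzip runs before AES-256-GCM and when it runs after. The record layout, the one-off key and the function names are assumptions for illustration; gzip stands in for the tape drive's or library's own compression.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// gzipBytes compresses data with gzip (stand-in for drive/library compression).
func gzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	if _, err := w.Write(data); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// seal encrypts with AES-256-GCM and a fresh nonce; key custody is out of scope here.
func seal(key, plain []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
}

// SampleBackup builds a constructed, highly redundant record stream, the
// kind of input on which tape compression normally pays off.
func SampleBackup(records int) []byte {
	var b strings.Builder
	for i := 0; i < records; i++ {
		fmt.Fprintf(&b, "rec=%06d host=db01 status=OK payload=%s\n", i, strings.Repeat("0", 48))
	}
	return []byte(b.String())
}

// Sizes holds the on-tape byte counts for each ordering.
type Sizes struct {
	Plain, CompressThenEncrypt, EncryptThenCompress int
}

// Compare encrypts the same input both ways under a random one-off key.
func Compare(plain []byte) Sizes {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return Sizes{
		Plain:               len(plain),
		CompressThenEncrypt: len(seal(key, gzipBytes(plain))),
		EncryptThenCompress: len(gzipBytes(seal(key, plain))),
	}
}

func main() {
	s := Compare(SampleBackup(500))
	fmt.Printf("plain=%d compress-then-encrypt=%d encrypt-then-compress=%d\n",
		s.Plain, s.CompressThenEncrypt, s.EncryptThenCompress)
}
```

Run as written, the compress-then-encrypt figure is a small fraction of the plaintext size, while encrypt-then-compress comes out slightly larger than the plaintext: ciphertext is indistinguishable from random bytes, so a downstream compressor can only add framing overhead. That is why a device sitting in front of a compressing drive must do the compression itself before it encrypts.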
It also offers the means for centralized management of the security function, which, in turn, provides significantly improved policy enforcement and key protection. Essentially, the keys are maintained by the appliance, associated and tracked to stored data and media, and never leave the box in the clear. An appliance can be managed remotely and placed closest to the storage library or virtualized tape--regardless of vendor, application or location. And an appliance could support protection of media across different backup applications without affecting local system administration procedures/workload. This uniformity equates to lower cost of ownership and more reliable recovery.
Storage media protection provides advantages to a broad range of secondary storage applications. Encryption and authentication can ensure authorized access to media and that the data itself has not been tampered with or corrupted. It can facilitate shared and managed tape resources. It can enable outsourcing of backup and recovery functions by eliminating the perceived and actual risk of, and liability for, unauthorized access. It can better protect bulk data distribution (which by definition is outside the trust boundary of internal operations) by assuring protection regardless of whether tapes are lost, stolen or misdelivered. It can reduce costs associated with destroying tapes containing sensitive information (since the data is encrypted). Encryption can eliminate the possibility of valued, trusted or regulated data being used should access to a tape, virtualized media or a replicated image be breached. Authentication can detect media data corruption or tampering during restore for strong integrity. Lastly, protecting stored data can provide compliance with ecommerce, healthcare, FDA, EU and other privacy legislation.
Secondary storage is about preservation, integrity and availability... confidentiality can now be addressed as part of a layered defense strategy for potentially distributed backup and replication data.
Scoll Cordon is vice president of marketing at NeoScale Systems (Milpitas, Calif.)
Publication: Computer Technology Review
Date: Feb 1, 2003